Hello, welcome to the Wednesday, November 23rd, 2016 edition of the Sands and it, Storms,

Stormcast. My name is Johannes Ulrich and the day I'm recording from Jacksonville, Florida.

If you're running WordPress, one thing you should and are probably aware of is that you need to

regularly update WordPress to make sure that you're patching

recently found vulnerabilities. Well it turns out in order to do so you need to connect to

one of WordPress's servers and download an update but as it turns out the only verification

of the update that's happening is an MD5 hash,

which of course at this point is not secure enough and could possibly be spoofed.

Now, these updates happen over SSL, so you still have the SSL layer here to protect yourself.

But as the author of this particular

advisory points out, WordPress still supports PHP 5.2.4, which doesn't support a lot of the

more modern advances to SSL. So you may also be out of luck there and opening yourself up to a man in the middle condition

that would allow someone to spoof the update server. The fix, well, there isn't really a fix

that you could apply easily. At least you should update to the latest version of PHP. So you do

have full access to everything that SZL has to offer.

Of course, this really has to be fixed on the WordPress side.

They need to use something else than an MD5 hash in order to check the integrity of the download.

At this point, I would say an MD5 hash is good enough to check for an accidental

corruption of the download, but not really good enough as a cryptographic verification. In order

to do that, you also need a secret, so you probably want, as the advisory suggests, use a private

public key algorithm in order to properly verify

these downloads.

...